We're all familiar with CAPTCHA tests - images full of squiggly letters and made-up words - that are meant to tell humans and computers apart, but what if you want to tell one person apart from another? In the case of Facebook, you have the perfect dataset at hand - all of that person's friends.
Today, Facebook said that it had begun testing a new security feature it's calling "Social Authentication", which is intended to make sure that the person signing into Facebook is indeed the account holder and not a hacker.
Facebook security engineer Alex Rice writes that Facebook strives to put people at the center of all experience and that "We also want to bring the benefits of social design to experiences where you wouldn't traditionally expect them, like account security."
"Instead of showing you a traditional captcha on Facebook, one of the ways we may help verify your identity is through social authentication," writes Rice. "We will show you a few pictures of your friends and ask you to name the person in those photos. Hackers halfway across the world might know your password, but they don't know who your friends are."
With traditional CAPTCHA tests, you can ask for a new image if the letters or words are unclear. We hope that Facebook offers the same, though most users are unlikely to ever see this feature. We don't know about you, but we have to wonder whether we could visually identify each and every one of our Facebook friends, though we're sure Facebook has thought of this. As the image above shows, it looks like the service uses facial recognition to at least ensure that you aren't trying to identify a friend's cartoon character or otherwise inhuman avatar. It also looks like you get a number of "skips" per security check, accounting for the fact that yes, some of us can't properly identify all of the high school friends that we're now Facebook friends with (for some reason or another).
For you security-minded folks, make sure to read Audrey Watters' write-up of Facebook's other important security addition of the day, "always on" HTTPS.